U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General
Washington, D.C. 20590

August 4, 2006

The Honorable Mark V. Rosenker
Acting Chairman
National Transportation Safety Board
490 L'Enfant Plaza, S.W.
Washington, D.C. 20594

Dear Acting Chairman Rosenker:

We will be performing a limited review of the National Transportation Safety Board's (NTSB) information security program this year to meet the reporting requirements of the Federal Information Security Management Act of 2002 (FISMA). The audit objective is to determine the effectiveness of NTSB's information security program. Specifically, we will evaluate (1) whether system risks were properly assessed and security weaknesses were reported for correction, (2) the effectiveness of the enhanced network security operations, and (3) the progress made by NTSB in protecting sensitive agency information.

The decision to do a limited review again this year is based on the current status of NTSB's information security program. During Fiscal Year (FY) 2006, NTSB has made a concerted effort to correct security weaknesses identified in the past, including establishing a new Chief Information Officer position; submitting progress reports to the Congress; providing security training to all employees; and, most noticeably, enhancing network security protection against both internal and external attacks.

One area in which NTSB did not make sufficient progress was reviewing, testing, certifying, and accrediting its information systems as adequately secured to support NTSB operations. This process, called certification and accreditation (C&A), serves as the backbone for implementing a viable information security program. Last year, we recommended that NTSB assign a high priority to completing the C&A review of its high-risk (most critical) systems. NTSB has since concluded that it has no high-risk systems and is now developing plans to perform C&A reviews on its systems. Given that NTSB has not accredited any of its systems,¹ a complete review by our office is not warranted. We met with the Deputy Managing Director and Acting Chief Information Officer several times to discuss improvements to the C&A review process.

First, NTSB should consider disaggregating its systems inventory into smaller and more discrete entities to better align system ownership and to accelerate the security review process. NTSB initially reported only three systems for its entire inventory: the Financial Management System, Accident Investigation System, and General Support System. However, these systems perform 33 functions, some of which are not related even though they were grouped together under the same system. For example, the General Support System contains components supporting not only the network infrastructure but also facilities, fleet, and equipment management. After discussing this issue with us, NTSB officials increased the system inventory from three to six by "unbundling" functions that were previously embedded under the Accident Investigation System and the General Support System.² We commend this action and recommend that NTSB reevaluate separating out components associated with the Financial Management System, too.

Second, NTSB should consider performing more specific risk assessments to help prioritize its security review activity. The agency rated all systems as having a medium level of risk. We are concerned that under this assessment, all systems will receive the same level of security protection, even though some components are more sensitive than others. For example, the components used to analyze aircraft black-box recordings or to track the families of accident victims should receive a higher level of risk and protection than other components, such as policy and guidance tracking. NTSB officials informed us that they have correctly assessed the level of risk associated with each system. We plan to further evaluate this issue during the audit.

The audit will be conducted at NTSB Headquarters in Washington, D.C. We will contact your staff to establish an entrance conference. The project manager for the audit is Henry Lee. If you have any questions, please call me at (202) 366-1496, or Ed Densmore, Program Director, at (202) 366-4350.

Sincerely,

Rebecca Leng
Assistant Inspector General
for Financial and Information Technology Audits

¹ NTSB processes its accounting, payroll, and travel transactions on the Department of the Interior's financial management systems. Interior has certified these systems for the portion that it is responsible for. However, Interior's certifications do not address operations that individual customers are responsible for, such as the integrity of data input into the system by the customer.

² The three new systems are the Telecommunications System, Physical Security System, and Laboratory Environment System.